Monitoring Unapproved Electronic Communications Use and Compliance

The lines between personal and business communications continue to blur, and regulatory agencies are taking notice. Employees are required to leverage company-approved channels (for example, corporate-owned devices or applications that allow the firm to retain employee messages) to send electronic business communications; however, in this remote working environment, many are turning to unapproved channels (e.g., WhatsApp) to conduct business. These unapproved channels leave regulated financial firms at risk of not retaining records of business activities, in violation of regulatory statutes. Regulators, including the U.S. Securities and Exchange Commission, the Commodity Futures Trading Commission, and the Financial Industry Regulatory Authority, have all levied significant fines against firms that conduct business activity on unapproved channels.

Monitoring Electronic Communications is Complex and Requires Firm Coordination

The use of unapproved electronic communication channels presents a unique challenge for financial institutions. For one, the topic is a highly complex one without clearly established precedent or industry best practices. While regulations dictate the specific retention requirements that firms must adhere to, the actual implementation of these requirements and the associated frameworks, processes, and controls is unclear. Each firm may have its preferred methodology for satisfying the requirements based on available resources, risk exposure and tolerance, technology infrastructure, and business-specific nuances. As a result, institutions facing this issue are often making strategic decisions against a moving target.

Solving unapproved channel use requires navigating complex regulatory requirements and coordinating resources across the firm. In addition to spanning different lines of business and geographic locations, the issue impacts and requires buy-in from almost all firm disciplines, including Technology, Compliance, Risk, Legal, Controls, Human Resources, and all lines of defense. Given the level of risk and heightened regulatory oversight, it is critical to involve senior stakeholders who have the ability and authority to make key program decisions.

The unique complexities associated with unapproved channel use demand a centralized program. While program design may vary by firm, core initial responsibilities should include establishing the appropriate level of prioritization and senior oversight for the program, confirming regulatory scope and establishing associated program workstreams, identifying required stakeholders across the firm, and assigning sufficient internal and external resources. Once established, the program should assess the firm’s current state infrastructure and its ability to monitor and report on unapproved channel use against regulations (e.g., policies and procedures, controls, technology) and appropriately address any identified gaps.

Any such assessment should consider and account for the following:

  • Approved Channels — How does the firm obtain approval for and onboard new channels required for the execution of business as usual (BAU) activities? How does the firm identify unapproved channels being used by employees that may require onboarding?
  • Retention & Surveillance — How does the firm establish and monitor evolving regulatory record retention and surveillance requirements? Does the firm have appropriate technology and protocols to ensure that communications are effectively retained and surveilled for required employees (including communications identified on unapproved channels)?
  • Texting Solutions — What texting solutions does the firm deploy to enable employees to perform their BAU activities on channels that comply with regulatory retention requirements? How does the firm assess whether such solutions are fit for purpose? How does the firm monitor usage to ensure that employees use deployed solutions in line with expectations?
  • Employee Awareness — How does the firm communicate requirements surrounding use of approved electronic communication channels to employees (e.g., policies and procedures, training, periodic employee attestations, multi-channel communications to employees)?
  • Population Management — How does the firm determine which employees should be subject to retention and surveillance policies, as well as scoped in for associated processes and controls (e.g., deployment of texting solutions, provision of training and attestations)? Does the firm have appropriate technology in place to ensure in-scope employees are fed into required systems and processes? 
  • Consequences of Violations — What frameworks and guidelines does the firm have in place to identify, review, and disposition instances of unapproved channel use?
  • Manager Awareness & Accountability — What tools and metrics does the firm have to ensure that managers are made aware of potential unapproved channel use by their employees? How does the firm incorporate metrics into disciplinary frameworks to create accountability and instill a culture of compliance from the top down?

 

With a remote and largely decentralized workforce, it can be challenging for institutions to determine when unapproved channels are being used to conduct business and to take appropriate steps to respond to potential policy violations. Despite these challenges, financial institutions must be proactive about the identification and mitigation of unapproved channel use, as a failure to be vigilant can damage the firm’s reputation and bottom line.



Guidehouse is a global consultancy providing advisory, digital, and managed services to the commercial and public sectors. Purpose-built to serve the national security, financial services, healthcare, energy, and infrastructure industries, the firm collaborates with leaders to outwit complexity and achieve transformational changes that meaningfully shape the future.
